I’m quite exercised by the ‘theft’ of my e-mail address by spammers who harvested it on the web to send hundreds or perhaps thousands of e-mail messages with attached viruses and other detritus to other unsuspecting e-mail users. Besides the mayhem inflicted on the unsuspecting, I’m also getting scores (it was hundreds until this week) of ‘delivery failure’ notices from the domains whose users are receiving ‘my’ bogus e-mails. I spend 15% of my time when using e-mail in just cleaning up my Inbox. It’s incredibly annoying. See my original post on this subject, Spammers Steal E-Mail Addresses.
I think the ultimate solution to this problem will come from the user community which will (hopefully and soon) rise up in anger against this abuse and demand that either the FCC or the ISPs or both do something to stop this fraudulent use of e-mail addresses by spammers. Consumers have already done this regarding the national Do Not Call registry. Even George Bush, the pol who never met a corporate donor he didn’t like, was forced (against his entire political instincts) to sign the legislation because of the groundswell of support in the U.S. Much as he would’ve loved to veto this bill, he knew he couldn’t. We need that type of national will and consensus to tackle the e-mail theft issue.
After posting to news.admin.net-abuse.email, Keith responded with a cogent and interesting post that proposed several possible solutions to the problem. See his original post How to Solve the Problem of Stealing E-Mail Addresses or read it below:
There are a variety of things that could be done, ranging from nothing, to setting up a separate verified high security email system completely separate from what we have now with its own set of rules designed to maximize security.
Why don’t ISPs do something about it? Email is free so where is the profit? So them fixing it is really really unlikely.
More likely are:
1. The Homeland Security Tsar mandating that the existing email system be made secure on a mandatory basis, with life in jail for those who fail, no matter country of residence or citizenship, and
2. Some entrepreneur setting up their own email network, with franchises around the world, that verifies the sending person or sending computer before accepting and delivering the email, and that ensures that all the email it carries is encrypted.
People could then email with the current system when they wanted anonymity, and with the private system when they wanted security and assurance as to whom they are dealing with.
Possibly the assurance as to identity would be provided by a memory key that plugs into a USB port, or data on a diskette. Perhaps it might include the use of biometrics.
I’m actually kind of surprised that neither M$ nor AOL has taken this on.
I think one could deliver something like this with not much more than webmail and whatever hardware is necessary for the key, which would make it something M$ would be good at. A paid extra for Hotmail to Hotmail communications, involving pieces of plastic and circuitry people would pay for, and providing the level of proof of identity that commercial and academic institutions were used to in the decades before the Internet (when there were letters of introduction, in-person contacts, and handwritten signatures).
With one's own network it could be done with even more security, which would be something AOL has the resources for.
The major downside with a separate email system is whether the other party to the email is on it. If you interlink the 2 systems, there is very little security on the current system and the new system can’t do much to correct for that.
It would also be a big change for people. On the secure system you’d be identifiable (perhaps just to law enforcement with a subpoena, or perhaps to everyone), perhaps just one secure email address per person. No multi-identities in newsgroups. No anonymous letters to the editor. No cowards, cranks and bored people flaming with anonymity and impunity. (Unless they were using the old current email system.)
I remember back before the Internet became popular. One of the advantages of AOL over Compuserve (Compuserve was #1), was that with AOL you could easily change identities. With Compuserve you could change names, but people could see your account number. Put your account number into some third party products, and you could see the history of what screen names people had given themselves.
So the third and fourth factors preventing better email security are the large element in the Internet user community that wants anonymity, not just privacy, and the large, very conservative, change-resistant component in the Internet administration community.
BTW, just joking about the Homeland Security Tsar. Have to put some humor into this subject, because I don’t see anyone making moves to provide an alternative to the current low security email system soon.